UNITED STATES DEPARTMENT OF COMMERCE
The Inspector General
Washington, D.C. 20230

April 29, 2011

The Honorable Darrell Issa
Chairman
Committee on Oversight and Government Reform
U.S. House of Representatives
Washington, D.C. 20515-6143

Dear Mr. Chairman:

In response to your request of April 7, 2011, we are providing current information on our office's open and unimplemented recommendations (see enclosure 1), none of which fall into the category of having potential monetary benefits.

As requested, we also identified what we consider to be the three most important unimplemented recommendations we have made to the Department or its operating units (see enclosure 2). We also wish to note for the Committee that, although recommendations we have made with respect to the 2020 decennial census are not part of our top three, we did include them in our inventory of open and unimplemented recommendations. The implementation of our 2020 decennial recommendations requires ongoing and long-term action, as well as upfront resources. While it is not possible to calculate precise monetary benefits associated with our recommendations, the Census Bureau stands to achieve cost savings in the billions of dollars if it implements the types of reforms we have recommended.

If you have any questions or require additional information, you or your staff may contact me at (202) 482-4661 or Ann Eilers, Principal Assistant Inspector General for Audit and Evaluation, at (202) 482-2754.

Enclosures

cc: The Honorable Elijah Cummings, Ranking Member


Enclosure 1: OIG’s Open and Unimplemented Recommendations Since 2007

Open and Unimplemented Recommendations Since 2007*
(as of April 29, 2011)

Calendar Year            Recommendations   Recommendations   Recommendations       Recommendations Implemented
                         Made              Still Open        Still Unimplemented   Since March 24, 2010
2007                     187               0                 3                     46
2008                     143               0                 1                     7
2009                     100               0                 32                    36
2010                     93                0                 67                    22
2011 (as of 4/29/2011)   8                 8                 8                     0
Total                    531               8                 111                   111

*The chart was compiled by reviewing all performance audit, evaluation, and inspection reports issued by Commerce’s OIG during the period of January 1, 2007, through April 29, 2011. We consider an “open” recommendation to be an OIG recommendation that a bureau has not accepted, and an “unimplemented” recommendation to be a recommendation that a bureau has accepted but has not yet implemented. We have not reported on classified or sensitive non-public recommendations, recommendations in financial statement audits, or those addressed to specific non-federal entities in connection with audits of financial assistance awards.


Enclosure 2: OIG’s Top Three Open and Unimplemented Recommendations for the Department of Commerce

Broadband Program Faces Uncertain Funding, and NTIA Needs to Strengthen Its Post-Award Operations (OIG-11-005-A), November 4, 2010

The Recovery Act gave $4.7 billion to NTIA to establish the Broadband Technology Opportunities Program (BTOP), a competitive grant program intended to provide funds for deploying broadband infrastructure in unserved and underserved areas of the United States, enhance broadband capacity at public computer centers, improve access to broadband services for public safety agencies, and promote sustainable broadband adoption projects. By September 30, 2010, NTIA had made almost $4 billion in awards to over 230 recipients, making BTOP the largest grant program that NTIA has managed to date. Now that the awards have been made, NTIA must focus on monitoring this diverse portfolio of grants, which were awarded to a wide variety of recipients, including public entities, for-profits, nonprofits, cooperative associations, and tribal entities. As part of our continuing oversight of BTOP, we examined NTIA’s efforts to develop and implement effective policies and procedures, systems, and continuing oversight of the broadband grant awards.

We made several recommendations to NTIA to improve internal controls, promote transparency, and increase efficiency. Specifically, we recommended NTIA strengthen its post-award operations by ensuring that agreements with other agencies, manuals and guidance, training and development, and monitoring procedures are clearly documented and fully adhered to. Also, while BTOP has received funding for the remainder of FY 2011, program funding for future years is uncertain. Therefore, we also recommended that BTOP develop alternative approaches to monitoring and oversight based on differing amounts of available funds.

a) Status of Recommendations: NTIA agreed with our recommendations and has already begun to strengthen its post-award guidance. NTIA is still determining the best way to implement other recommendations, such as how best to use the monitoring data it collects to track recipient performance. NTIA’s ability to develop and actually implement these plans will be affected by future availability of funds.

b) Estimated Cost Savings: Improved post-award operations will help protect this $4 billion dollar investment in the expansion of broadband across the nation. Efficiencies gained through implementing our recommendations will also result in cost savings; however, a specific amount cannot be projected.

c) Whether agency plans to implement the recommendation in the near future: Based on discussions with NTIA, the agency is in the process of strengthening its post-award processes. We will continue to monitor the status of the open recommendations.


Federal Information Security Management Act Audit Identified Significant Issues Requiring Management Attention (OIG-11-012-A), November 2010

As part of our FY2010 FISMA audit, our office assessed information security controls and security-related documentation of 18 systems selected from six of the Department’s operating units. The operating units categorized these systems as high or moderate impact, based upon how severely a security breach would affect organizational operations, assets, or individuals. Seven of the systems we reviewed support three of the Department’s four primary mission-essential functions, specifically those that directly support government functions necessary to lead and sustain the nation during a catastrophic emergency.

Our assessments found the following:

   • On average, we detected three times the number of vulnerabilities than were identified by the routine self assessments performed by the Department’s operating units.

   • Department systems had not been securely configured.

   • The Department’s plan of action and milestones process for reporting and tracking IT security weaknesses and corrective action is deficient.

   • Contingency plans were not adequately tested and key systems have no alternate processing site for their operations in the event of significant disruption.

   • Persistent deficiencies in system security plans and control assessments reduce the overall level of information assurance.

We made a number of recommendations for improving the Department’s IT security program. In particular, we recommended that the Department improve its vulnerability scanning and configuration management policies, plan of action and milestones policy, Department-wide contingency plan testing requirements, and security planning and assessment policy. We also recommended that the Department identify all systems without a required alternate processing site, and give top priority to providing sites for these critical systems.

a) Status of Recommendations: The Department has agreed with our recommendations and has developed an implementation plan.

b) Estimated Cost Savings: Implementation of our recommendations will improve the Department’s processes for identifying and remediating security vulnerabilities, as well as its ability to maintain critical information systems in an emergency. These benefits will result in cost savings; however, a specific amount cannot be projected.

c) Whether agency plans to implement the recommendation in the near future: The Department’s action plan to address these deficiencies is scheduled for completion in the fourth quarter of FY2011.


Successful Oversight of GOES-R Requires Adherence to Accepted Satellite Acquisition Practices (OSE-18291), November 2007

In 2005, the Department and NOAA assumed oversight and management responsibility for the entire Geostationary Operational Environmental Satellite (GOES-R) program, which is now projected to cost $7.7 billion. This represents a $1.5 billion increase from the original estimate. For the first time, NOAA, rather than NASA, has the lead role in GOES-R’s program management and acquisition, thus giving the Department direct oversight authority for both the ground and space segments. While this change was positive overall, these new roles added risk to an already highly complex undertaking. Our review found that the Department lacked a workable oversight structure, not just for GOES-R but for all major acquisitions. Accordingly, we made the following recommendation:

   • Complete and implement the Department’s major system acquisition policy. For satellite programs, ensure the policy incorporates the key decision points in NPR 7120.5D and requires comprehensive independent reviews at all key decision points. (NPR 7120.5D is a NASA policy that NOAA has adopted for its satellite acquisition activities.)

a) Status of Recommendation: The Department agreed to develop a major systems acquisition policy by the third quarter of FY 2008. It further stated that in creating the policy, a key decision point structure would be considered along with other approaches. This deadline was not met.

   In June 2010, the Secretary directed a comprehensive review of the Department’s acquisition processes. As a result of this review and in conjunction with Commerce’s new enterprise risk management program, the Department is working to improve acquisition oversight. However, the extent to which this will address our recommendation is not yet clear.

b) Estimated Cost Savings: With an estimated $20 billion to be spent on GOES-R and the Joint Polar Satellite System—two critical environmental satellite systems—over their life cycle, plus $2.6 billion in major IT investments in FY 2010 alone, the Department must have an effective oversight program in place. The benefits gained by implementing our recommendation will result in cost savings; however, a specific amount cannot be projected.

c) Whether agency plans to implement the recommendation in the near future: The Department has not provided a specific date as to when the recommendation will be implemented. As noted above, it is actively working on this issue at the direction of the Secretary.